ocitools is a collection of tools for working with the OCI specification.
# ocitools generate --help
NAME:
generate - generate an OCI spec file
USAGE:
command generate [command options] [arguments...]
OPTIONS:
--rootfs path to the rootfs
--read-only make the container's rootfs read-only
--privileged enabled privileged container settings
--hostname "acme" hostname value for the container
--uid "0" uid for the process
--gid "0" gid for the process
--groups [--groups option --groups option] supplementary groups for the process
--cap-add [--cap-add option --cap-add option] add capabilities
--cap-drop [--cap-drop option --cap-drop option] drop capabilities
--network network namespace
--mount mount namespace
--pid pid namespace
--ipc ipc namespace
--uts uts namespace
--selinux-label process selinux label
--tmpfs [--tmpfs option --tmpfs option] mount tmpfs
--args command to run in the container
--env [--env option --env option] add environment variable
--mount-cgroups "ro" mount cgroups (rw,ro,no)
--bind [--bind option --bind option] bind mount directories src:dest:(rw,ro)
--prestart [--prestart option --prestart option] path to prestart hooks
--poststop [--poststop option --poststop option] path to poststop hooks
--root-propagation mount propagation for root
--os "linux" operating system the container is created for
--arch "amd64" architecture the container is created for
--cwd "/" current working directory for the process
--uidmappings [--uidmappings option ] add UIDMappings, e.g. HostID:ContainerID:Size
--gidmappings [--gidmappings option ] add GIDMappings, e.g. HostID:ContainerID:Size
--apparmor specify the apparmor profile for the container
--seccomp-default specify the default action of Seccomp syscall restrictions
--seccomp-arch [--seccomp-arch option ] specify additional architectures permitted to be used for system calls
--seccomp-syscalls [--seccomp-syscalls option] specify syscalls used in Seccomp,
e.g. Name:Action:Arg1_index/Arg1_value/Arg1_valuetwo/Arg1_op,Arg2_index/Arg2_value/Arg2_valuetwo/Arg2_op
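The --seccomp-syscalls rule format is compact enough that a mistyped action or operator name can slip into a profile unnoticed, so the following added Go example (not ocitools' own code) parses one rule string into a struct laid out like a linux.seccomp.syscalls entry of config.json and rejects anything outside the SCMP_ACT_* / SCMP_CMP_* vocabulary. The JSON field names and the accepted constant names are assumptions mirroring the OCI runtime-spec of the time, not values taken from this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SeccompArg and SeccompSyscall mirror one linux.seccomp.syscalls entry (field names assumed).
type SeccompArg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo"`
	Op       string `json:"op"`
}
type SeccompSyscall struct {
	Name   string       `json:"name"`
	Action string       `json:"action"`
	Args   []SeccompArg `json:"args,omitempty"`
}
var validActions = map[string]bool{"SCMP_ACT_KILL": true, "SCMP_ACT_TRAP": true,
	"SCMP_ACT_ERRNO": true, "SCMP_ACT_TRACE": true, "SCMP_ACT_ALLOW": true}
var validOps = map[string]bool{"SCMP_CMP_NE": true, "SCMP_CMP_LT": true, "SCMP_CMP_LE": true,
	"SCMP_CMP_EQ": true, "SCMP_CMP_GE": true, "SCMP_CMP_GT": true, "SCMP_CMP_MASKED_EQ": true}

// ParseSeccompSyscall parses "Name:Action[:Index/Value/ValueTwo/Op,...]", rejecting unknown names so a typo cannot silently weaken the filter.
func ParseSeccompSyscall(spec string) (SeccompSyscall, error) {
	parts := strings.SplitN(spec, ":", 3)
	if len(parts) < 2 || parts[0] == "" || !validActions[parts[1]] {
		return SeccompSyscall{}, fmt.Errorf("bad rule %q: want Name:Action[:Args] with a SCMP_ACT_* action", spec)
	}
	sc := SeccompSyscall{Name: parts[0], Action: parts[1]}
	// An absent args part means the rule applies to every invocation of the syscall.
	for _, a := range strings.FieldsFunc(strings.Join(parts[2:], ""), func(r rune) bool { return r == ',' }) {
		f := strings.Split(a, "/")
		if len(f) != 4 || !validOps[f[3]] {
			return SeccompSyscall{}, fmt.Errorf("bad arg %q: want Index/Value/ValueTwo/SCMP_CMP_*", a)
		}
		idx, err1 := strconv.ParseUint(f[0], 10, 32)
		v1, err2 := strconv.ParseUint(f[1], 0, 64) // base 0 also accepts 0x... values
		v2, err3 := strconv.ParseUint(f[2], 0, 64)
		if err1 != nil || err2 != nil || err3 != nil {
			return SeccompSyscall{}, fmt.Errorf("bad arg %q: index and values must be unsigned integers", a)
		}
		sc.Args = append(sc.Args, SeccompArg{Index: uint(idx), Value: v1, ValueTwo: v2, Op: f[3]})
	}
	return sc, nil
}

func main() { // constructed input: fail clone(2) whenever the CLONE_NEWUSER bit (0x10000000) is set
	fmt.Println(ParseSeccompSyscall("clone:SCMP_ACT_ERRNO:0/0x10000000/0x10000000/SCMP_CMP_MASKED_EQ"))
}
```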
$ make
$ sudo make install
$ sudo ./test_runtime.sh -r runc
-----------------------------------------------------------------------------------
VALIDATING RUNTIME: runc
-----------------------------------------------------------------------------------
validating container process
validating capabilities
validating hostname
validating rlimits
validating sysctls
Runtime runc passed validation
The root filesystem tarball is based on Gentoo's amd64 stage3 (whose GnuPG signature we verify), copying a minimal subset to the root filesystem and adding symlinks for all BusyBox commands. To rebuild the tarball based on a newer stage3, just run:
$ touch get-stage3.sh
$ make rootfs.tar.gz
If make rootfs.tar.gz gives an error like:
gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
gpg: Can't check signature: public key not found
you will need to add the missing public key to your keystore. One way to do that is by asking a keyserver:
$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2D182910